Prepare for v0.60.0

[nikpivkin]

Draft to collaborate on v0.60.0

📑 Table of Contents

• 🚀 What's new? 🚀

  • 📋 Summary table 📊
  • 🛈 Ability to select sources for vulnerability severity 🔋
  • 🌐 Dynamic VEX Retrieval from SBOM External References 🔗
  • 🏰 Rendering misconfiguration causes 🪭

• 👷‍♂️ Notable Fixes 🛠️

🚀 What's new? 🚀

📋 Summary table 📊

⚠️ EXPERIMENTAL: This feature is still experimental. It might change without preserving backward compatibility.

Now the report in table format includes a Summary table.
It shows the number of detected security issues.

Report Summary

┌───────────────────────────────┬────────┬─────────────────┬─────────┐
│            Target             │  Type  │ Vulnerabilities │ Secrets │
├───────────────────────────────┼────────┼─────────────────┼─────────┤
│ alpine:3.20.0 (alpine 3.20.0) │ alpine │       20        │    -    │
└───────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

We have also added the --table-mode flag, allowing you to enable/disable summary/detailed tables.

See https://trivy.dev/v0.60/docs/configuration/reporting/#table-mode for more details.

🛈 Ability to select sources for vulnerability severity 🔋

We have added a new flag --vuln-severity-source to set the order of vulnerability severity sources.
Now you can choose the best order for yourself. You can also use auto (the default value) to use Trivy's selection logic

See https://trivy.dev/v0.60/docs/scanner/vulnerability/#severity-selection_1 for more details.

🌐 Dynamic VEX Retrieval from SBOM External References 🔗

⚠️ EXPERIMENTAL: This feature is still experimental. It might change without preserving backward compatibility.

This update enhances Trivy's capabilities to dynamically load Vulnerability Exploitability eXchange (VEX) statements specified via "external references" in CycloneDX Software Bill of Materials (SBOMs). CycloneDX standard allows inclusion of external references, such as "exploitability-statement", which can point to URLs containing relevant VEX information. This enhancement aims to provide a more efficient and dynamic method for integrating VEX data into Trivy's vulnerability scanning process, leveraging existing SBOM structures.​

$ trivy sbom --vex sbom-ref trivy.cdx.json

Read the documentation for details.

Thanks to @RingoDev.

🏰 Rendering misconfiguration causes 🪭

Trivy is now able to render IaC files while showing misconfigurations. This is enabled by the --render-cause as shown below. Currently this feature is only supported for Terraform misconfiguration scanning.

trivy conf --render-cause=terraform main.tf
2024-11-01T17:19:19+06:00       INFO    [misconfig] Misconfiguration scanning is enabled
2024-11-01T17:19:19+06:00       INFO    [terraform scanner] Scanning root module        file_path="."
2024-11-01T17:19:19+06:00       INFO    Detected config files   num=2

main.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 1)

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:37
   via main.tf:31-41 (aws_network_acl_rule.public_inbound[0])
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  31   resource "aws_network_acl_rule" "public_inbound" {
  32     network_acl_id = aws_network_acl.this.id
  33     count          = 2
  34     egress         = false
  35     rule_number    = var.public_inbound_acl_rules[count.index]["rule_number"]
  36     rule_action    = var.public_inbound_acl_rules[count.index]["rule_action"]
  37 [   protocol       = var.public_inbound_acl_rules[count.index]["protocol"]
  38     cidr_block     = lookup(var.public_inbound_acl_rules[count.index], "cidr_block", null)
  39     from_port      = lookup(var.public_inbound_acl_rules[count.index], "from_port", null)
  ..   
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Rendered cause:
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
resource "aws_network_acl_rule" "public_inbound[0]" {
  protocol = "all"
}
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

👷‍♂️ Notable Fixes 🛠️

• bug(misconf): AVD-DS-0001 started to trigger on variables #8438
• bug(misconf): Incorrect location of findings in k8s JSON scan #8072
• fix(checks): Only One Entrypoint false negative #8364
• fix(misconf): make protocol checks case-insensitive #8460
• trivy registry login fails for docker.io with "unknown resource type" error #8386
• bug(gobinary): Trivy fails when ldflags contain nested flags #8365
• bug(sarif): don't escape shortDescription and fullDescription fields #8342
• bug(report): empty Target for some SBOM files in image #8189
• Trivy client server mode not scanning secrets exposed in image, Trivy standalone works #6742 (thank @iamtraining)
• bug(spdx): panic when parse SPDX-tv file with files #8379
• bug(db): When several parallel Trivy processes download trivy-db - situation may arise when some processes will use empty trivy-db #8454